We passed 4000 subscribers
Thanks mates

seems Ethena frontend compromised. Please stay away and do not interact with it
@EthSecurity1

- This is the fundamental stuff that you will need on your journey as an auditor. - damn-vulnerable-defi-v4-solutions
Public by sunsec
https://github.com/SunWeb3Sec/damn-vulnerable-defi-v4-solutions @EthSecurity1

Decentraland's X has been compromised.
@EthSecurity1

Banana Gun user wallets have been compromised and drained
@EthSecurity1

Seems bingx CEX been drained
@Ethsecurity1

-The Hidden Risks of Hash Functions: Length Extension -- Attacks and Server-Side Security Vulnerabilities - Exploring Risks of On-Chain Options Exchanges: Part 1,2 @EthSecurity1

CharismaBtc hack post-mortem
183k $stx loss https://exvul.com/a-new-attack-on-bitcoin-defi/
@EthSecurity1

Binance data leak https://twitter.com/PabloSabbatella/status/1838238994091413994

this is old but interesting, if users in berachain blockchain send msg.value less than the amount they set, the MultiSwap contract (the router) will use BERA tokens it holds, which are small and isolated from the pools’ assets. https://x.com/dvzhangtz/status/1815771395328225361 this was patched by a white hat @EthSecurity

The ether.fi frontend has been compromised!
@EthSecurity1

- Rounding Errors For Auditors - Ethereum Transfers Heatmap
Observe hidden patterns in token transfers - Balancer Rounding Error Bugfix Review - Not Your Stdout Bug - RCE in Cosmos SDK
@EthSecurity1

unverified contract lost 140$ k https://nickfranklin.site/2024/09/25/unverified-contract0xff2481-hacked-by-reentrancy-attack/ @EthSecurity1

*critical* issue on Bedrock protocol.

The issue was exploited some hours later, but damage was contained.

Vulnerability was in minting uniBTC, a ~$75m asset (on Ethereum alone, plus much more on 8+ other chains).


Issue: Exploiter could mint 1unibtc with 1ether
BTC has 8 decimals, ETH has 18 decimals. If you send 1 ETH you get many times more than 1 BTC. There's not even price conversion involved, since in reality 1 BTC =~ 30 ETH.
@EthSecurity1

Web3 Ping of Death: Finding and Fixing a Chain-Halting Vulnerability in NEAR In December of 2023, Zellic's found a bug in NEAR's blockchain node. @EthSecurity1

https://github.com/marchev/security-reviews/blob/main/Flux-Security-Review-September-2024.pdf @EthSecurity1

https://mirror.xyz/0xF3c0C25090ae1458FC152947Aab57253cB8E0F0F/7dqKrAfS20rr3m_zuCwN80lChYTB0Cniie5IrdiC9ZQ First, tokens must be registered to be included in the current total balance of native or wrapped BTC tokens. Second, if a token is not registered, the contract returns 0, meaning it cannot be found in the tokenHolders variable. The following figure shows that only FBTC, WBTC, and cbBTC have been registered, while NATIVE_BTC has NOT. On one hand, NATIVE_BTC should NOT be registered in this contract, as it is not intended to be supported. On the other hand, failing to register NATIVE_BTC results in the totalSupply always being ZERO, which contradicts the caps restriction mechanism.

Since the total supply at that time was ZERO instead of reflecting the msg.value received by the contract, the check the Vault contract passed, allowing the minting of uniBTC using native tokens on non-native BTC chains.

Therefore, on a non-native BTC chain, replacing the balance with the total supply is acceptable for wrapped BTC tokens but problematic for native tokens.

@EthSecurity1

- 20 Common Solidity Beginner Mistakes - Try Catch and all the ways Solidity can revert @EthSecurity1